$I30

Keeps track of what files exist in what directories.

SANS Digital Forensics and Incident Response Blog | NTFS $I30 Index Attributes: Evidence of Deleted and Overwritten Files | SANS Institute

NTFS Index Attributes

File Location:

Parse Data

Considerations

What is $I30

$BITMAP:

• Tracks which index records are in use.

$INDEX_ROOT:

• Only resident files and a small # of files.

$INDEX_ALLOCATION:

• Non-resident and a large # of files.

INDEX_ROOT + INDEX_ALLOCATION + $BITMAP = $I30

What data does it contain?

• Full filename

• Parent directory (useful if you recover a $I30 file in free space and do not know its origin)

• File size

• Creation Time

• Modification Time

• MFT Change Time

• Access Time

$FILE_NAME attribute timestamps and not $STANDARD_INFORMATION timestamps

Anti-Forensics

• Provides a seperate set of timestamps to be compared for timestomping.

• $I30 slack space may hold evidence of deleted files within directories.